Even after adding an asset to an Anti-DDoS Origin paid edition instance, volumetric DDoS attacks can still trigger blackhole filtering, which blocks all inbound traffic to the affected IP address. The faster you deactivate blackhole filtering, the shorter the service interruption.
Manual deactivation in the Traffic Security console (see Deactivate blackhole filtering) introduces delays and is error-prone. For services that require high availability, set up automatic deactivation instead: configure a CloudMonitor alert to detect blackhole events on your Anti-DDoS Origin instance, then attach a custom rule that calls the DeleteBlackhole API operation as soon as the event fires.
Prerequisites
Before you begin, make sure you have:
An Anti-DDoS Origin paid edition instance with your asset added to it. See Add an object for protection.
Note: This solution requires calling an API operation of Anti-DDoS Origin and is available only for Anti-DDoS Origin instances. CloudMonitor sends blackhole filtering notifications only for assets added to Anti-DDoS Origin paid edition instances. In other scenarios, no messages about blackhole filtering are sent.
How it works
The automation pipeline has two stages:
Detect: CloudMonitor monitors system events from your Anti-DDoS Origin instance. When blackhole filtering is triggered on a protected IP address, CloudMonitor generates an alert and pushes an event message through your configured notification channel.
Respond: A custom rule attached to the alert automatically calls the DeleteBlackhole API operation to deactivate blackhole filtering without manual intervention.
Set up automatic deactivation
Step 1: Create a CloudMonitor alert rule
Log on to the CloudMonitor console.
In the left-side navigation pane, choose Event Center > System Event.
On the Event Monitoring tab, click Save as Alert Rule.
In the Create/Modify Event-triggered Alert Rule panel, set the following fields:
| Field | Value |
|---|---|
| Product Type | ddosbgp |
| Event Type | DDoS Attacks |
| Event Level | CRITICAL |
| Event Name | ddosbgp_event_blackhole |

For all other parameters, see Manage system event-triggered alert rules.
Select a notification channel, then save the rule.
When blackhole filtering is triggered on a protected asset, CloudMonitor pushes an event message through the channel you selected. The message has the following structure:
```json
{
  "action": "add",
  "bps": 0,
  "pps": 0,
  "instanceId": "ddosbgp-cn-78v17******",
  "ip": "47.*.*.*",
  "regionId": "cn-hangzhou",
  "time": 1564104493000,
  "type": "blackhole"
}
```

Alert message fields:
| Field | Type | Description |
|---|---|---|
| action | string | Event state. add means the event started; del means the event ended. |
| bps | number | Throughput when the event was triggered. Unit: Mbit/s. |
| pps | number | Packet rate when the event was triggered. Unit: packets per second (pps). |
| instanceId | string | ID of the Anti-DDoS Origin instance. |
| ip | string | IP address of the asset on which blackhole filtering was triggered. |
| regionId | string | ID of the region where the Anti-DDoS Origin instance resides. |
| time | number | Unix timestamp (milliseconds) when the event began. |
| type | string | Event type. blackhole indicates a blackhole filtering event; defense indicates a traffic scrubbing event. |
Step 2: Create a custom rule to call DeleteBlackhole
Create a custom rule to automatically deactivate blackhole filtering by calling the DeleteBlackhole API operation.
For the full API reference, including request parameters and response codes, see the DeleteBlackhole documentation.
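One way to gate the DeleteBlackhole call on the event message from Step 1, as an added example that is not part of the original page or Alibaba Cloud's own code. The instance allowlist, freshness window and deduplication set are assumptions, as are the request parameter names (`InstanceId`, `Ip`, `RegionId`), which should be checked against the DeleteBlackhole documentation; sending the signed request is left to your SDK or function runtime.

```python
import ipaddress
import json

# Assumptions (not from the original page): the instance allowlist, the
# freshness window, and the request parameter names built below.
ALLOWED_INSTANCES = {"ddosbgp-cn-example0001"}  # constructed instance ID
MAX_EVENT_AGE_MS = 10 * 60 * 1000

# Constructed sample in the message structure shown in Step 1.
SAMPLE_MESSAGE = json.dumps({
    "action": "add", "bps": 0, "pps": 0,
    "instanceId": "ddosbgp-cn-example0001", "ip": "203.0.113.10",
    "regionId": "cn-hangzhou", "time": 1564104493000, "type": "blackhole",
})


def plan_delete_blackhole(raw_message, now_ms, handled):
    """Return DeleteBlackhole request parameters, or None to take no action."""
    try:
        event = json.loads(raw_message)
    except (TypeError, ValueError):
        return None
    if not isinstance(event, dict):
        return None
    # Act only when a blackhole event starts: "del" means it already ended,
    # and type "defense" is a traffic scrubbing event.
    if event.get("type") != "blackhole" or event.get("action") != "add":
        return None
    instance_id, ip, region = (event.get(k) for k in ("instanceId", "ip", "regionId"))
    if not all(isinstance(v, str) for v in (instance_id, ip, region)):
        return None
    if instance_id not in ALLOWED_INSTANCES:
        return None
    try:
        ip = str(ipaddress.ip_address(ip))  # rejects masked or malformed values
    except ValueError:
        return None
    ts = event.get("time")
    if not isinstance(ts, int) or not 0 <= now_ms - ts <= MAX_EVENT_AGE_MS:
        return None
    key = (instance_id, ip, ts)
    if key in handled:  # the same event delivered twice triggers one call
        return None
    handled.add(key)
    return {"Action": "DeleteBlackhole", "InstanceId": instance_id,
            "Ip": ip, "RegionId": region}
```

Log every message for which the function returns None, so that a rejected event is followed up manually rather than dropped silently.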
What's next
As an alternative or complementary measure, create rules that call the Alibaba Cloud DNS (DNS) API to resolve your domain name to the IP address of an Anti-DDoS Pro or Anti-DDoS Premium instance during an attack.